Analysis Overview
SHA256
f09de828728d005bf938cd0de9529edb677da888dcdec5f0fc3a2862553e5ebf
Threat Level: Known bad
The file 6a65e9327e7c893a50348c396032696f was found to be: Known bad.
Malicious Activity Summary
MrBlack trojan
MrBlack Trojan
Mrblack family
Executes dropped EXE
Modifies init.d
Reads system routing table
Checks CPU configuration
Write file to user bin folder
Writes file to system bin folder
Reads system network configuration
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-22 04:54
Signatures
MrBlack trojan
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Mrblack family
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-22 04:54
Reported
2023-12-23 09:30
Platform
ubuntu1804-amd64-20231222-en
Max time kernel
151s
Max time network
148s
Command Line
Signatures
MrBlack Trojan
MrBlack trojan
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /usr/bin/bsd-port/getty | /usr/bin/bsd-port/getty | N/A |
| N/A | /usr/bin/.sshd | /usr/bin/.sshd | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/DbSecuritySpt | N/A | N/A |
| File opened for modification | /etc/init.d/selinux | N/A | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | N/A | N/A |
Write file to user bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /usr/bin/bsd-port/getty | /bin/cp | N/A |
| File opened for modification | /usr/bin/.sshd | /bin/cp | N/A |
| File opened for modification | /usr/bin/bsd-port/getty.lock | N/A | N/A |
| File opened for modification | /usr/bin/bsd-port/udevd.lock | N/A | N/A |
| File opened for modification | /usr/bin/dpkgd/lsof | /bin/cp | N/A |
| File opened for modification | /usr/bin/lsof | /bin/cp | N/A |
| File opened for modification | /usr/bin/bsd-port/conf.n | N/A | N/A |
| File opened for modification | /usr/bin/dpkgd/ps | /bin/cp | N/A |
| File opened for modification | /usr/bin/dpkgd/ss | /bin/cp | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /bin/ps | /bin/cp | N/A |
| File opened for modification | /bin/ss | /bin/cp | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/dev | N/A | N/A |
| File opened for reading | /proc/net/route | N/A | N/A |
| File opened for reading | /proc/net/arp | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cmdline | /sbin/insmod | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/meminfo | N/A | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/stat | N/A | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/cmdline | /sbin/insmod | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/gates.lod | N/A | N/A |
| File opened for modification | /tmp/notify.file | N/A | N/A |
| File opened for modification | /tmp/conf.n | N/A | N/A |
| File opened for modification | /tmp/moni.lod | N/A | N/A |
| File opened for modification | /tmp/bill.lock | N/A | N/A |
Processes
/tmp/6a65e9327e7c893a50348c396032696f
[/tmp/6a65e9327e7c893a50348c396032696f]
/bin/sh
[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt]
/bin/ln
[ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt]
/bin/sh
[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt]
/bin/ln
[ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt]
/bin/sh
[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt]
/bin/ln
[ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt]
/bin/sh
[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt]
/bin/ln
[ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt]
/bin/sh
[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt]
/bin/ln
[ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt]
/bin/sh
[sh -c mkdir -p /usr/bin/bsd-port]
/bin/mkdir
[mkdir -p /usr/bin/bsd-port]
/bin/sh
[sh -c mkdir -p /usr/bin/bsd-port]
/bin/mkdir
[mkdir -p /usr/bin/bsd-port]
/bin/sh
[sh -c cp -f /tmp/6a65e9327e7c893a50348c396032696f /usr/bin/bsd-port/getty]
/bin/cp
[cp -f /tmp/6a65e9327e7c893a50348c396032696f /usr/bin/bsd-port/getty]
/bin/sh
[sh -c /usr/bin/bsd-port/getty]
/usr/bin/bsd-port/getty
[/usr/bin/bsd-port/getty]
/bin/sh
[sh -c mkdir -p /usr/bin]
/bin/mkdir
[mkdir -p /usr/bin]
/bin/sh
[sh -c mkdir -p /usr/bin]
/bin/mkdir
[mkdir -p /usr/bin]
/bin/sh
[sh -c cp -f /tmp/6a65e9327e7c893a50348c396032696f /usr/bin/.sshd]
/bin/cp
[cp -f /tmp/6a65e9327e7c893a50348c396032696f /usr/bin/.sshd]
/bin/sh
[sh -c ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]
/bin/ln
[ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]
/bin/sh
[sh -c ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]
/bin/ln
[ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]
/bin/sh
[sh -c ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]
/bin/ln
[ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]
/bin/sh
[sh -c ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]
/bin/ln
[ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]
/bin/sh
[sh -c ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]
/bin/ln
[ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]
/bin/sh
[sh -c /usr/bin/.sshd]
/bin/sh
[sh -c mkdir -p /usr/bin/dpkgd]
/bin/mkdir
[mkdir -p /usr/bin/dpkgd]
/usr/bin/.sshd
[/usr/bin/.sshd]
/bin/sh
[sh -c cp -f /bin/ps /usr/bin/dpkgd/ps]
/bin/cp
[cp -f /bin/ps /usr/bin/dpkgd/ps]
/bin/sh
[sh -c mkdir -p /bin]
/bin/mkdir
[mkdir -p /bin]
/bin/sh
[sh -c mkdir -p /bin]
/bin/mkdir
[mkdir -p /bin]
/bin/sh
[sh -c cp -f /usr/bin/bsd-port/getty /bin/ps]
/bin/cp
[cp -f /usr/bin/bsd-port/getty /bin/ps]
/bin/sh
[sh -c chmod 0755 /bin/ps]
/bin/chmod
[chmod 0755 /bin/ps]
/bin/sh
[sh -c cp -f /bin/ss /usr/bin/dpkgd/ss]
/bin/cp
[cp -f /bin/ss /usr/bin/dpkgd/ss]
/bin/sh
[sh -c mkdir -p /bin]
/bin/mkdir
[mkdir -p /bin]
/bin/sh
[sh -c mkdir -p /bin]
/bin/mkdir
[mkdir -p /bin]
/bin/sh
[sh -c cp -f /usr/bin/bsd-port/getty /bin/ss]
/bin/cp
[cp -f /usr/bin/bsd-port/getty /bin/ss]
/bin/sh
[sh -c chmod 0755 /bin/ss]
/bin/chmod
[chmod 0755 /bin/ss]
/bin/sh
[sh -c cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof]
/bin/cp
[cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof]
/bin/sh
[sh -c mkdir -p /usr/bin]
/bin/mkdir
[mkdir -p /usr/bin]
/bin/sh
[sh -c mkdir -p /usr/bin]
/bin/mkdir
[mkdir -p /usr/bin]
/bin/sh
[sh -c cp -f /usr/bin/bsd-port/getty /usr/bin/lsof]
/bin/cp
[cp -f /usr/bin/bsd-port/getty /usr/bin/lsof]
/bin/sh
[sh -c chmod 0755 /usr/bin/lsof]
/bin/chmod
[chmod 0755 /usr/bin/lsof]
/bin/sh
[sh -c insmod /usr/bin/bsd-port/xpacket.ko]
/sbin/insmod
[insmod /usr/bin/bsd-port/xpacket.ko]
/bin/sh
[sh -c insmod /tmp/xpacket.ko]
/sbin/insmod
[insmod /tmp/xpacket.ko]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 185.125.188.62:443 | tcp | |
| GB | 185.125.188.62:443 | tcp | |
| US | 151.101.193.91:443 | tcp | |
| US | 151.101.193.91:443 | tcp | |
| US | 1.1.1.1:53 | fk.appledoesnt.com | udp |
| CN | 61.147.103.6:55000 | tcp | |
| US | 193.221.95.203:30000 | fk.appledoesnt.com | tcp |
| US | 151.101.66.49:443 | tcp | |
| GB | 89.187.167.5:443 | tcp | |
| CN | 61.147.103.6:55000 | tcp | |
| US | 193.221.95.203:30000 | fk.appledoesnt.com | tcp |
Files
/tmp/gates.lod
| MD5 | 4e9cec1f583056459111d63e24f3b8ef |
| SHA1 | 7c753b72486156bc11e7416305a9c87ada24439e |
| SHA256 | 46b724b2f85d4f7bd485423a04bcf2cffb2c22304fe264aa4da31794b7adae41 |
| SHA512 | 62849303717bb0749a0977adba43667767a3f7c55b5ff17e57513c90c2dff495cf364e4f959887f9261e5e6b8aeda47b615189bfe44b1ca897e37fb3e43ee365 |
/etc/init.d/DbSecuritySpt
| MD5 | dd73a0ce3f569c5a0d76de74401a5798 |
| SHA1 | 641c5542452e9314bcf9cff2f08bf7d3234aed8f |
| SHA256 | 865c89d53e264374f7e4afd9bbd64a1c9a9654cd0a28c8c976d770139f50f0fa |
| SHA512 | 5478f6da0f68fe4462536b315abf002923cc32813c1e97647d87412094f2f559afefb64116862ec142aee6f0b1fe4d492419b8c69ed4637b37e1dc5fda45b22d |
/usr/bin/bsd-port/getty
| MD5 | 6a65e9327e7c893a50348c396032696f |
| SHA1 | 752284ca96950d96c1eeb991d6e5d411a9fac65b |
| SHA256 | f09de828728d005bf938cd0de9529edb677da888dcdec5f0fc3a2862553e5ebf |
| SHA512 | 242a3100839b73a76a721744606292c74942035e94fdb35aca8f58993caf972d78e8c0195a139758f74c2f3c58b97e9b2ede41e93ce2c2aa52db008975cbc8e6 |
/tmp/notify.file
| MD5 | b31ff023ec1aee3aefb61af256c279d0 |
| SHA1 | 968fa825f798b87820abfde52b2358b8c1d3e604 |
| SHA256 | cd767f87d239ade6e4b7cd4dbfe4501c0b457382982f0376d0608eddd52e99e1 |
| SHA512 | 7f70d220f510994ea97191ceee543a6b5efd7eee53fac287b0439ee0b2e063797c524ef10938be30aa06fdd723ecd539c3168c5b5f8ccaadaf9cc1f4098de008 |
/usr/bin/dpkgd/ss
| MD5 | 1dc929b5f2cd12fe6a2fe71140d2a9e3 |
| SHA1 | f9995a92bb201b1b7738a39a38570ef0c40b52d2 |
| SHA256 | 418aae1da62554afe9f260866267af328fd761b3fd6f90f0ea53d543e2fefc38 |
| SHA512 | fbed011c595084548db440dfbe485b7d27032a44a6ae9e141fe43f31c8c524ff9347135ab035deb441fca99e5a3794f7bb9194f148aa2f60f1547a7c67d47373 |
/usr/bin/dpkgd/lsof
| MD5 | e093dc78225e2a0a25e3b137c1c1e442 |
| SHA1 | c29497cfaae729eb576875e4fdfa400640ab16be |
| SHA256 | 1190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e |
| SHA512 | fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0 |
/tmp/moni.lod
| MD5 | 96de2547f44254c97f5f4f1f402711c1 |
| SHA1 | 9d93f8113d6ac60e97d0769efd6f167a812f620b |
| SHA256 | 3cc16f8f6eede20fc56248b7da32561c5996a6d44fdabcbe3fd965d016a0d29c |
| SHA512 | 9f259a9a75670b392f770060fca9c0a04c7acd6fefffd5ad5e11a90bbfa7f23f152921ec41c6887464dc02ef9b4d61309cd7d992ff0817d28333147d94add4a1 |
/usr/bin/bsd-port/conf.n
| MD5 | 1e45e1b3598ec16292269c28b19243f9 |
| SHA1 | a3b2cb046bccc74dd7a06667f53a97f525fce860 |
| SHA256 | 83ea3bbfc2daeed1029dfc8a37cb3f0d70afdbda48a8e1eb659f605d7bfb8bbf |
| SHA512 | d929fa04e2dd9d9ca5471bf7b25a7cf590c1087432ea4e8055e55f288a0587b1bb8e10cf90c8d53353c32a56ed9bdfeb027d841dac3fd98c42665e2f6b5ef8d9 |
/usr/bin/bsd-port/conf.n
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |